Your answer to that question may inform your perspective on the FTC this month spanking data broker Spokeo with an $800,000 fine for marketing a service that provides consumer reports and background checks--not least to potential employers--that failed to abide by the Fair Credit Reporting Act (FCRA), which requires that information shared be accurate, used only for an allowed purpose, and that customers are informed of those requirements. The FTC also accused Spokeo of having written its own fake reviews--laudatory, of course--and then placing them on external websites and blogs.

"The FTC's settlement with Spokeo stands for the important proposition that companies cannot merely aver themselves out of the scope of FCRA--products to be used for important decisions like credit and employment must incorporate FCRA's protections to make sure those products are reliable," said Justin Brookman, director of the Center for Democracy and Technology's project on consumer privacy, in a blog post.

In response to the FTC settlement, Spokeo released a blog post titled "Empowering Spokeo's Users," in which Spokeo founder and president Harrison Tang says that the company never meant to act as a provider of consumer reports or background check information. He neglected to address the FTC's charge that Spokeo had disseminated fake reviews of its services.

Instead, Tang harkened back to the early days of the company, which he started with his Stanford roommates. He also spun his company's data collection practices as a force for consumer good. "Spokeo will continue to be a company based on innovation that empowers consumers to reconnect with family and friends, learn about celebrities and other famous people, and discover their own online footprint," he said.

Spokeo works by using "machine aggregation"--online crawlers--to collect people's personal information in a variety of ways. "Spokeo aggregates publicly available information from phone books, social networks, marketing surveys, real estate listings, and other public sources," included government census reports, "business websites," and mailing lists, according to Spokeo's privacy page. "This third-party data is then indexed through methods similar to those used by Google or Bing to create a listing. Because Spokeo only collects this data and does not create it, we cannot fully guarantee its accuracy."

Where does Spokeo's search service--which claims to have information on nearly 300 million U.S. consumers, and which Tang has likened to being a "Google for people"--end, and a consumer-reporting service begin? (For the record, consumers can opt out of having their information appear via Spokeo, but the onus is on consumers to opt out of any such service, rather than allowing them to opt in.)

Legally speaking, the FCRA defines "consumer reports" as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living," and which is expected to be used for credit, insurance, or employment purposes, or "a legitimate business need," such as a consumer-initiated transaction.

But what's to stop a company such as Spokeo from selling consumer reports, even if they're not marketed as such? In response to that question, FTC spokeswoman Claudia Farrell said via email that the agency keeps an eye on any business offering consumer reporting agency (CRA) services--even if they're not labeled as such--to ensure that they comply with the consumer report protections required under the FCRA. "If the [business] in question is not a CRA and/or not selling consumer reports, as defined by the FCRA, they are not covered," she said. "Of course, we would look at facts on a case by case basis. A company's declaration that they are not a CRA, or that the reports they sell are not consumer reports, does not exempt them from the FCRA."

In the case of Spokeo, meanwhile, the company says that it's changed its ways, not least by ceasing to offer a background check service marketed to HR departments, recruiters, and law enforcement agencies. Spokeo's chief strategy officer Emanuel Pleitez, who joined the company earlier this year, said that until February 2010, the company had only eight employees, and was testing different business models to see which one worked. He said the company's background-check service never attracted more than about 100 customers.

After February 2010, however, he said the company retooled, and began selling only a people-search service for consumers. It also eliminated all of the accounts that had been created via its HR and background-check marketing links, and implemented a new blogging policy to ensure that any Spokeo-commissioned material that appears on the Internet is clearly labeled as such. Furthermore, while Spokeo still amasses financial information, Pleitez said it's only available for reviewing median incomes on a neighborhood by neighborhood basis.

"We obviously talked with the FTC about what had happened, and how we move forward," said Pleitez. In addition, customer service personnel received training to deactivate accounts for any customers that appear to be using Spokeo for background-check purposes, and the company details to its customers, via email, the purposes for which its service can and cannot be used. Pleitez said the company is glad that the FTC's enforcement action has been announced, so that Spokeo can move on. "At our core, we're a technology company, we want to create a cool product," he said.

But such products still pose provocative privacy questions. Indeed, while people-search products may not be consumer reports, per the FTC's definition, they can reveal a surprising amount of personal information. Accordingly, the rule for cautious consumers remains the same: beware what you share.

"Today, more and more companies are trying to mine social media when making employment and credit decisions," said Brookman at the Center for Democracy and Technology. "In many cases, the consumers themselves are putting personal information out there using Facebook, Twitter, or any number of other publishing platforms--can they credibly complain if that information later comes back to bite them?"

New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)

Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.

Published: 2017-05-09NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.